HEC Montréal: Follow-up on the Large-Scale Mail Installation

How did HEC Montréal's new mail installation handle the spam and virus explosion of early 2004?

The May 2004 issue of Linux Journal features an
article that discusses the large-scale mail installation we did at HEC
Montréal at the end of 2003. The present article describes how the
system handled the recent e-mail worm explosion. It provides relevant
information and statistics about the efficiency of
unsolicited bulk email (UBE) prevention and virus protection policies
now in place at HEC Montréal.

HEC Montréal is Canada's first management school, founded in 1907.
Over 11,000 students and 220 career professors are active every year.
Furthermore, each student that graduates from HEC Montréal is provided
with a lifelong e-mail account; over 35,500 accounts are active
to date. As with many organizations, the e-mail infrastructure at HEC
Montréal is a critical component that cannot perform at anything less
than optimal functionality.

As this article explains, the new infrastructure not only
excels in performance and stability, but it also allows HEC
Montréal
to save money. Thus, it benefits from an accelerated return on
investment (ROI). Emmanuel Vigne, Information Director at HEC
Montréal, put it this way:"Without the new mail infrastructure, we likely wouldn't have survived
the recent e-mail worms crisis. We probably would have closed all
servers in order to limit the damage. With the new infrastructure, we
went through this crisis without issues or outages. Our network
analysts can now focus on developing tools to manage more
efficiently the infrastructure, as they are no longer always fixing
issues with regard to the mail servers."

Implemented solution

The implemented solution was based mostly on open-source components.
A total of 11 servers, mostly IBM xSeries, and storage array networks (SAN) are used in the new
infrastructure. Figure 1 depicts the architecture of the implemented
solution.

Figure 1. Architecture of the Solution

The core of the new mail infrastructure is based on components with
industry proven track records. The components are:

To get a full description of the implemented solution, please refer to
the May 2004 edition of Linux Journal.

Recent Attacks

Although UBEs continued to grow at an alarming rate, at the beginning of
2004, we also have seen of e-mail worms. Those worms
spread themselves over the Internet as attachments to infected mail.
The attached files are all Windows portable executable (PE) EXE files
affecting various versions of Microsoft Windows. Table 1 describes
some of the most popular e-mail worms we have seen in the first three
months of 2004.

Table 1. Recent Internet Worms

Worm

Description

MyDoom.A

MyDoom.A, also known as Novarg, had the most impact at the beginning of 2004. Once it has
infected a computer, the worm uses its own SMTP engine to send files
(while harvesting the addresses found in those files) with the
following extensions: asp, dbx, tbb, htm, sht, php, adb, pl, wab and
txt. The worm also contained a backdoor function programmed to launch a
Denial of Service (DoS) attack on
www.sco.com on February 1st, 2004,
by sending HTTP GET requests every millisecond to port 80 of the
attacked site. MyDoom.A also has two well-known modifications,
MyDoom.B and MyDoom.E. The first one is similar to MyDoom.A, but it also
carries out a DoS attack on www.microsoft.com and replaces the
standard Windows host file with its own to prevent access to domains
of anti-virus software companies. Finally, MyDoom.E
(also called MyDoom.F) is similar to MyDoom.A; it also is
programmed to carry out a DoS attack on www.microsoft.com and www.riaa.com.
In addition, it searches for more file extensions in order to send
copies of itself and randomly deletes files with avi, bmp, doc, jpg,
mdb, sav and xls extensions.

Bagle.A

Beside replicating itself with its own SMTP engine (with
harvested e-mail addresses from various files), Bagle.A also opens a
backdoor on port 6777 to listen for commands (allows an attacker to
download files and execute commands on the infected computer).
Similar to its predecessor, Bagle.B opens a backdoor on port 8866.
Bagle.C, Bagle.D and Bagle.E are mostly identical: they all open a
backdoor on port 2745 and block anti-virus database updates by
terminating update processes from a list of well-known vendors.
Finally, Bagle.F is similar to Bagle.C, but it also propagates to P2P
networks.

NetSky.C

Like the first two worms, NetSky.C searches for files with
many extensions and harvests e-mail addresses from them. It then sends
a copy of itself to these addresses--using its own SMTP engine--directly
to the message's recipient server. If it fails, it uses a list of
predefined SMTP servers. NetSky.D, also known as SomeFool, is similar
to NetSky.C but is programmed to delete MyDoom from the infected
machine.

As you can expect, those viruses make a huge economical impact,
calculated in terms of help desk support, overtime payments, false
positives, bandwidth clogging, transient storage consumption,
productivity erosion, management time reallocation and cost of
recovery. Various industry estimates speculate that global businesses lost $55
billion in 2003 due to viruses, up from $30 billion in
2002 and $13 billion in 2001. Other research papers show that
a typical user spends 4.4 seconds taking action against an e-mail.
As an example, if we take the 25 most-spammed employees at HEC
Montréal and set the average annual salary at $46,618 CAN, we can
proceed with an estimate of productivity cost for the first three months
of 2004. Table 2 shows the cost worksheet.

Table 2. Cost Worksheet

Criteria

Value

Number of employees

25

Average annual salary

$46,618 CAN

Number of UBEs that would have been delivered to them for
the first three months of 2004

172,887

Time to identify and discard each UBE

4.4 seconds

Total amount of time lost in the first two months of 2004
for those employees

33 days

Total cost for the first two months

$6,157 CAN

Some analysts quantified the annual cost of spam at $8.9 billion for
US corporations and $2.5 billion for European businesses in 2002. In
2003, the numbers increased and reached $10 billion for the US and
over a $1 billion for Canada. This tendency most likely will
continue, and some estimate that over 8.8 billion UBEs will be sent daily in 2004,
compared to 7.3 billion in 2003 and 5.6 billion in 2002.

"Our library director can now efficiently use his e-mail account.
Before the new system was put in place, he was receiving hundreds of
spam every week. Going through his e-mail during the day in order to
respond to student requests was relatively painful and the associated
productivity erosion was high", said Emmanuel Vigne. Nevertheless,
although tallying the true cost of spams and viruses is relatively hard,
HEC Montréal certainly saved money by reducing the loss of productivity
of its employees due to UBEs and e-mail worms.

Now days email is so user friendly and easy to set up. You use to need an I.T. guy anytime you needed to integrate emails, or set up a brand new email system. Now pretty much everything is integrated making most websites, or html email accessible. Wordpress for example comes with automatic email installation. Just goes to show how far we've come with technology. fulfillment companies

If their services are anything like ours, their graph of service utilization doesn't clearly represent the real use of their IMAP services. A POP3 user will typically poll the server regularly, causing a connection to be logged each and every time, where it's not uncommon for IMAP users to remain connected throughout the day, showing only one connection initated.

For IMAP utilization, it is usually more interesting to look at the number of concurrent POP and IMAP connections, as this often more closely reflects the real load on the server.

Of course, I could also be entirely wrong about how they're graphing their results.

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.